E-mails · E-mails Email has become a primary means of communication. Email can easily be forged...
E-mails
Email has become a primary means of communication.
Email can easily be forged
Email can be abused
Spam
Aid in committing a crime …
Threatening email, …
Origin & Sender of the E-Mail
The party refutes the emails and alleges forgery
The IP address of the sender matches, yet the party still refutes the emails
The sender accepts the mail but challenges the attachments
The email comes through a proxy server
Challenges to E-mail Authenticity
Study of Email:
Identifying the source system domain, IP Address
Tracing the sender
Date/time of sending email
Message / contents
Locate the source of e-mail & its sender
E-mail tracing…
Email Protocols:
An email program such as Outlook is a client application.
It needs to interact with an email server using one of these protocols:
Post Office Protocol (POP)
Internet Message Access Protocol (IMAP)
Simple Mail Transfer Protocol: SMTP
Email Protocols:
Protocol | Service | Characteristics
POP | Post Office | Stores only incoming messages. Investigation must be at the workstation.
IMAP | Internet Message Access | Stores all messages.
MS' MAPI, Lotus Notes | Proprietary messaging | Copies of incoming and outgoing messages might be stored on the workstation or on the server or on both.
HTTP | Web-based send and receive | Incoming and outgoing messages are stored on the server, but there might be archived or copied messages on the workstation. Easy to spoof identity.
Naresh ([email protected]) sending mail to Ram ([email protected])
Diagram: Naresh's client C1 (HCU, Hyderabad) submits the mail to the Rediff server over SMTP; the Rediff server relays it across the Internet via SMTP to the Gmail server; Ram's client C2 (BITS Goa) retrieves it over POP3 or IMAP4.
Click on "Show Original"; a window showing the full header appears.
http://cyberforensics.in/OnlineEmailTracer/Header.aspx
X-Remote-IP: 171.50.146.253
X-REDF-OSEN: [email protected]
Date: 6 Jul 2016 06:09:15 -0000
Message-ID: <[email protected]>
MIME-Version: 1.0
To: "[email protected]" <[email protected]>
Received: from unknown 171.50.146.253 by rediffmail.com via HTTP; 06 Jul 2016 06:09:15 -0000
X-Senderscore: D=0&S=0
Sender: [email protected]
Subject: =?utf-8?B?TWFpbCBmb3IgSGVhZGVyIEFuYWx5c2lz?=
From: "Naresh Kumar" <[email protected]>
Content-Type: multipart/alternative;
boundary="=_bbc614545e533ca7186fc46b513e40f5"
--=_bbc614545e533ca7186fc46b513e40f5
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="UTF-8"
Hi
This mail is for testing purpose only.
--=_bbc614545e533ca7186fc46b513e40f5
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Hi<br><br>This mail is for testing purpose only.<br><br><br><br>
--=_bbc614545e533ca7186fc46b513e40f5--
Delivered-To: [email protected]
Received: by 10.79.9.7 with SMTP id 7csp649857ivj;
Tue, 5 Jul 2016 23:09:18 -0700 (PDT)
X-Received: by 10.98.68.152 with SMTP id m24mr38873398pfi.35.1467785358556;
Tue, 05 Jul 2016 23:09:18 -0700 (PDT)
Return-Path: <[email protected]>
Received: from rediffmail.com (f4mail-235-198.rediffmail.com. [202.137.235.198])
by mx.google.com with ESMTPS id 15si2283824pfx.153.2016.07.05.23.09.17
for <[email protected]>
(version=TLS1_2 cipher=AES128-GCM-SHA256 bits=128/128);
Tue, 05 Jul 2016 23:09:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 202.137.235.198 as permitted sender) client-ip=202.137.235.198;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates 202.137.235.198 as permitted sender) [email protected]
Received: (qmail 25568 invoked by uid 510); 6 Jul 2016 06:09:16 -0000
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=redf; d=rediffmail.com; b=JoWWDTsl1llu/9TOhON/WLScR8zlPXrmyrMaekYHoTuauoBLWt9kLuTUjToSVJ4zCeziD8YoL5NwQZJilQotYas5aozk974gh3UjWh5QPJoZsbx9+e8h6lAAJUwgpyOw85s+YEUVbXyaBsotwzUjxkYZWLEKWGTTBerxqZaaPPI= ;
x-m-msg: asd54ad564ad7aa6sd5as6d5; a6da7d6asas6dasd77; 5dad65ad5sd;
In this example, we have sent an e-mail from '[email protected]' to '[email protected]'.
1. Sender: [email protected]
This represents the name and email address of the person who sent the email.
2. Received: from unknown 171.50.146.253 by rediffmail.com via HTTP; 06 Jul 2016 06:09:15 -0000
This is probably the most vital part of the email header from an investigation point of view. It tells us that:
The email was sent from a computer having IP address 171.50.146.253
The email was sent on 06 Jul 2016 06:09:15 (GMT).
3. To: "[email protected]" <[email protected]>
This represents the name and email address of the receiver.
4. Message-ID: <[email protected]>
The Message-ID can be broken into the following parts:
20160706060915: Represents the time stamp of the email in yyyymmddhhmmss format.
25557: This number is the reference number that identifies the corresponding email and is unique.
5. Received: from rediffmail.com (f4mail-235-198.rediffmail.com. [202.137.235.198])
by mx.google.com with ESMTPS id 15si2283824pfx.153.2016.07.05.23.09.17
for <[email protected]>
(version=TLS1_2 cipher=AES128-GCM-SHA256 bits=128/128);
Tue, 05 Jul 2016 23:09:18 -0700 (PDT)
This shows that the email was received by an SMTP server at Google called mx.google.com from the Rediffmail server with IP address 202.137.235.198 at the given date and time.
6. Delivered-To: [email protected]
This shows that the email was delivered to [email protected].
You will have noticed that the time and date in the above examples have been written as:
06 Jul 2016 06:09:15 -0000
It means that the time mentioned above, i.e. 06:09:15, is in GMT, which is the 0000 offset.
IST is 05:30 hours ahead of GMT.
To calculate the time in IST, add 05:30 hours to the GMT time.
What are we looking for?
171.50.146.253?
Verification of IP addresses:
Regional Internet Registry
APNIC (Asia Pacific Network Information Centre).
ARIN (American Registry of Internet Numbers).
LACNIC (Latin American and Caribbean IP address Regional Registry).
RIPE NCC (Réseaux IP Européens Network Coordination Centre).
Whois (whois.apnic.net)
www.samspade.org
Numerous other websites.
The best
Whois IP 171.50.146.253
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '171.50.128.0 - 171.50.191.255'
inetnum: 171.50.128.0 - 171.50.191.255
netname: BHARTI-IN
Descr: Bharti Airtel Limited
descr: Transport Network Group
descr: 234, Okhla Phase III
country: IN
admin-c: NA40-AP
tech-c: NA40-AP
status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-IN-BBIL
mnt-irt: IRT-BHARTI-IN
changed: @apnic.net 20160108
source: APNIC
1. From: "Naresh Kumar" <[email protected]>
2. Received: from emkei.cz ([2a01:5e0:36:5001::20]) by mx.google.com with ESMTP id uy1si1916593wjb.36.2016.07.05.23.14.48 for <[email protected]>; Tue, 05 Jul 2016 23:14:48 -0700 (PDT)
3. Delivered-To: [email protected]
4. Message-Id: <[email protected]>Date: Wed, 6 Jul 2016 08:18:09 +0200 (CEST)
The Rediffmail server is missing from the path: the From address claims rediffmail.com, but the only Received line shows the mail reaching mx.google.com directly from emkei.cz.
Diagram: Naresh's mail goes from the Emkei server across the Internet to the Gmail server, with no Rediff server in the path.
Forged emails are sent using –
Open relays
Compromised systems
Self owned email servers
Proxy Server
Hijacked accounts
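The header walk the slides describe (read the Received lines from the bottom up, pull the originating IP and time from each hop, convert a -0000 stamp to IST, split the Message-ID, and notice when the sender's own server never appears in the path) written up as an added Python example; it is not code from the slides. The two samples are constructed from the headers shown above, with placeholder local parts.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

IST = timezone(timedelta(hours=5, minutes=30))  # the slides' "add 05:30 to GMT" rule

# Constructed samples cut down from the two headers on the slides; local parts are placeholders.
GENUINE = """Delivered-To: recipient@gmail.com
Received: from rediffmail.com (f4mail-235-198.rediffmail.com. [202.137.235.198])
 by mx.google.com with ESMTPS id 15si2283824pfx.153.2016.07.05.23.09.17
 for <recipient@gmail.com> (version=TLS1_2 cipher=AES128-GCM-SHA256 bits=128/128);
 Tue, 05 Jul 2016 23:09:18 -0700 (PDT)
Received: from unknown 171.50.146.253 by rediffmail.com via HTTP; 06 Jul 2016 06:09:15 -0000
Message-ID: <20160706060915.25557.sender@rediffmail.com>
From: "Naresh Kumar" <sender@rediffmail.com>
"""
SPOOFED = """Delivered-To: recipient@gmail.com
Received: from emkei.cz ([2a01:5e0:36:5001::20]) by mx.google.com with ESMTP id uy1si1916593wjb.36.2016.07.05.23.14.48 for <recipient@gmail.com>; Tue, 05 Jul 2016 23:14:48 -0700 (PDT)
From: "Naresh Kumar" <sender@rediffmail.com>
"""

def received_hops(raw):
    """Hops oldest first: every MTA prepends its own Received line, so the last one is the origin."""
    hops = []
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):
        path, _, stamp = " ".join(hdr.split()).rpartition(";")  # unfold; the date follows the last ';'
        when = parsedate_to_datetime(stamp.strip())
        if when.tzinfo is None:  # '-0000' parses as naive; per RFC 5322 it means UTC
            when = when.replace(tzinfo=timezone.utc)
        m = re.search(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", path)
        # Prefer the bracketed literal recorded by the receiving MTA; else a bare IPv4 before ' by '
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]", path) or re.search(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", path.split(" by ")[0])
        hops.append({"from": m.group(1) if m else None, "by": m.group(2) if m else None,
                     "ip": ip.group(ip.lastindex or 0) if ip else None,
                     "utc": when.astimezone(timezone.utc), "ist": when.astimezone(IST)})
    return hops

def message_id_parts(raw):
    """Split a Rediff-style Message-ID into its yyyymmddhhmmss stamp and reference number."""
    m = re.search(r"<(\d{14})\.(\d+)\.", message_from_string(raw).get("Message-ID", ""))
    return (datetime.strptime(m.group(1), "%Y%m%d%H%M%S"), int(m.group(2))) if m else None

def sender_domain_in_path(raw):
    """Forgery check from the slides: did a server of the From domain handle the mail ('by' host)?
    Only 'by' counts; the 'from' name is the HELO string the connecting client chose for itself."""
    domain = parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2].lower()
    hosts = [h["by"].lower() for h in received_hops(raw) if h["by"]]
    return any(b == domain or b.endswith("." + domain) for b in hosts)
```

For GENUINE the first hop yields 171.50.146.253 at 11:39:15 IST and the sender domain is in the path; for SPOOFED the only hop is emkei.cz and the check fails, which is exactly the "Rediffmail server is missing" observation.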
Tracing tools:
NeoTracePro http://neotrace-pro.en.softonic.com/download
Visual IP Trace http://www.visualiptrace.com/download.html
Visual Route http://www.visualroute.com/download.html
Email Tracker Pro http://www.emailtrackerpro.com/download.html
Email tracer (from CDAC, India) http://cyberforensics.in/OnlineEmailTracer/index.aspx